Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks
A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan.
"This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector," Seqrite Labs researcher Subhajeet Singha said in a technical report published late last month.
Targets of the hacking group's attacks include embassies, lawyers, government-backed banks, and think tanks. It has been assessed to be a Kazakhstan-origin threat actor with a medium level of confidence.
The infections commence with a spear-phishing email containing a RAR archive attachment that ultimately acts as a delivery vehicle for malicious payloads responsible for granting remote access to the compromised hosts.
The first of the two campaigns, detected by the cybersecurity company on December 27, 2024, leverages the RAR archive to launch an ISO file that, in turn, includes a malicious C++ binary and a decoy PDF file. The executable subsequently proceeds to run a PowerShell script that uses Telegram bots (named "@south_korea145_bot" and "@south_afr_angl_bot") for command execution and data exfiltration.
Some of the commands executed via the bots include curl commands to download and save additional payloads from a remote server ("pweobmxdlboi[.]com") or Google Drive.
The other campaign, in contrast, employs a malicious RAR archive containing two files: A decoy PDF and a Golang executable, the latter of which is designed to establish a reverse shell to an attacker-controlled server ("185.122.171[.]22:8082").
Seqrite Labs said it observed some level of tactical overlaps between the threat actor and YoroTrooper (aka SturgeonPhisher), which has been linked to attacks targeting the Commonwealth of Independent States (CIS) countries using PowerShell and Golang tools.
"Silent Lynx's campaigns demonstrate a sophisticated multi-stage attack strategy using ISO files, C++ loaders, PowerShell scripts, and Golang implants," Singha said.
"Their reliance on Telegram bots for command and control, combined with decoy documents and regional targeting which also highlights their focus on espionage in Central Asia and SPECA based nations."
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
CWE-1320 Improper Protection for Outbound Error Messages and Alert Signals
CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CWE-1070 Serializable Data Element Containing non-Serializable Item Elements
MediumCWE-1275 Sensitive Cookie with Improper SameSite Attribute
HighCWE-640 Weak Password Recovery Mechanism for Forgotten Password
Free online web security scanner
